Asset Management Insights - May 2016

May 2016

Securities Industry Should Tighten Cybersecurity Controls And Procedures As Regulatory Pressure Intensifies

Financial regulators are tightening their grip on cybersecurity issues. In early January, the Financial Industry Regulatory Authority (FINRA) addressed the measures it would take this year to review firms’ cybersecurity risk management practices. This follows the SEC’s Office of Compliance Inspections and Examinations (OCIE) rollout of a second round of examinations on cyber-related controls and procedures in the securities industry. In its September 2015 Risk Alert, the OCIE announced an update to its Cybersecurity Examination Initiative, identifying a number of critical areas it will test to assess cybersecurity preparedness, including the ability to protect broker-dealer customer and investment advisor client information.

In March, the SEC announced the creation of the Office of Risk and Strategy within the OCIE. The new office, led by Peter B. Driscoll, will “consolidate and streamline the OCIE’s risk assessment, market surveillance, and quantitative analysis teams and provide operational risk management and organizational strategy for OCIE.”


FINRA’s annual Regulatory and Examination Priorities Letter, issued in January 2016, stresses concerns about shortcomings in securities firms’ technology systems and cybersecurity defenses. The supervision and risk management of firms’ cybersecurity, technology management, and data quality and governance will be closely examined in 2016. FINRA’s letter calls attention to a number of specific problem areas, including:
  • The ability to protect confidentiality, integrity and availability of sensitive customer and other information, including compliance with SEC Regulation S-P and Securities Exchange Act Rule 17a-4(f).
  • High-frequency and proprietary trading firms’ ability to protect their systems from unauthorized access that could be used to affect the market.
  • Supervision of back office and vendor system changes; change management practices for algorithms will be closely scrutinized, as will changes from legacy to new compliance systems.
  • Data governance, quality controls and reporting practices to ensure the accuracy, completeness, consistency and timeliness of data reported to firm management and to firms’ surveillance and supervisory systems.

FINRA’s cybersecurity focus aligns neatly with efforts underway by the SEC. In April 2014, the OCIE initiated a series of examinations on cybersecurity risks in the securities industry, which identified a variety of cyber-related legal, regulatory and compliance issues published in a February 2015 report. Cybersecurity compliance and controls became the focus of OCIE’s 2015 Examination Priorities, prompting an announcement in September 2015 that a new round of examinations would be conducted around firm cybersecurity procedures and controls. Shortly thereafter, the SEC released its first enforcement action against a securities firm for inadequate cyber safeguards, charging the investment adviser with a failure to “establish the required cybersecurity policies and procedures in advance of a breach.”

Further, the establishment of the new Office of Risk and Strategy and the appointment of Peter Driscoll in the OCIE signal an additional layer of oversight and scrutiny on the OCIE’s priorities related to cybersecurity specifically and risk broadly. ThinkAdvisor reports public comments from Driscoll suggesting that funds and fund advisors would “continue to be a big focus” for the OCIE in 2016, and the “focus on hedge funds will zero in on such areas as portfolio management trading and back-office operations.”

While more guidance is expected soon, it has previously been announced that the OCIE will be focusing its review on cyber-related policies, procedures and practices in these key areas:
  • Governance and risk assessment
  • Access rights and controls
  • Data loss prevention
  • Vendor management
  • Training
  • Incident response

BDO Insights

Regulators expect that these reviews and additional regulatory oversight will prompt securities firms to closely examine their own vulnerabilities and practices, and find ways to tighten existing gaps. As the nature of cyber breaches continues to evolve at a rapid pace, it would behoove firms to renew their focus on information governance and access controls, and implement ongoing defensive measures that continuously scan for new weaknesses and threats. FINRA clearly stated its intentions to assess the abilities of high-frequency and proprietary trading firms to protect data, so organizations leveraging automated trading platforms should be especially vigilant. Similarly, the creation of the Office of Risk and Strategy suggests that OCIE is stepping up its cybersecurity enforcement, with an eye on hedge funds in particular.

Also of note, included in the sample list of information that the OCIE may review in conducting examinations of registered entities are the board’s minutes and briefings regarding cybersecurity matters. While the guidance is not explicit, it implies an expectation that the board is not only informed, but also playing an active role in the firm’s cybersecurity strategy. FINRA also announced its plans to review reporting practices to firm management, as well as to firms’ surveillance and supervisory systems, focusing on the accuracy, completeness, consistency and timeliness of the reports. We will likely see additional guidance from regulators on board oversight and reporting in the future, but in the interim, the board should request cyber updates at regular intervals and work with management, IT and internal auditors to get educated and ask the right strategic questions.

While firms should take steps to protect their data and detect cyber attacks early on, no defense is impenetrable. Securities firms are expected to have an incident response plan in place that enables them to rapidly detect and respond to a future breach and mitigate its potential consequences.

Financial services firms are well-advised to seek assistance from consultants and technology specialists experienced in developing risk management frameworks and strategies to navigate complex security and compliance issues. BDO has deep experience in conducting cybersecurity risk assessments, cyber risk management strategy and program design, security architecture and transformation, incident response planning and execution, digital forensics and cyber investigations, as well as cyber insurance claim preparation and coverage adequacy evaluation. 

For more information about how securities firms can improve their cybersecurity preparedness, please contact:

For more financial services-related information, please visit BDO's Asset Management page. If you are interested in learning more about these matters, BDO has a team of advisors available to help. Contact information for our advisors is listed below.

Shahryar Shaghaghi
National Leader, Technology Advisory Services & Head of International BDO Cybersecurity

Keith McGowan
Asset Management & Broker Dealers National Practice Leader and Assurance Partner

Tim Mohr 
BDO Consulting Financial Services Advisory National Practice Leader